OSE Joomla Anti-Hacker

From Open Source Excellence Knowledge Base

Version: 2.0
Released Date: 03-Feb-2009
Manual Date: 20-Apr-2009
Author: OSE Security Team. security@opensource-excellence.co.uk
Copyright: Reproduction and redistribution of the document is disallowed without the consent of the author.
Notes: The OSE Security software series is an Open Source software series developed by Open Source Excellence Team.
License: GPL V2, you can install it into UNLIMITED websites FOREVER! No License Restrictions! No more IONCUBE!

Introduction

What’s It?

The Open Source Excellence PHP Joomla! Anti-Hacker is a Joomla! extension which provides advanced protection for Joomla! websites: it secures your private data, protects your system files from malicious code and hacking attacks, and cleans viruses and infected files. It can be installed as a component on your Joomla! website or on the platform of our OSE Virus Scanner.

It is suitable for all kinds of websites developed with the Joomla! system, including online stores, small business sites, personal websites, public institutions, etc. It is easy to use and has a friendly interface that you can customize to your own needs. The application performs advanced protection for your Joomla! system. Further, because it is activated at the PHP level (see Activation and Test), it can also protect ALL OTHER PHP systems on the same server (for instance Joomla!, VirtueMart, Magento, Drupal and WordPress).
The major technical features include:

c) If hacking is found and the Risk Score exceeds the secure level, the IP will be banned immediately.

d) If suspicious hacking behaviour is found in form fields or cookies, the hacking strings in the form / cookie values will be stripped and sanitized.

Layer 3: HTTP BlackList System - dynamically linking to an HTTP blacklist database and blocking access based on network masks or IP addresses.

e) Scans users' IPs; once an IP address is found in the HTTP blacklist, access is blocked immediately.

Two types of reactions:

1) Ban + Email Alert: If the activity triggers Layer 1 protection, or its Risk Score exceeds the threshold set for Layer 2 protection, the IP will be blocked and an alert email will be sent to the administrator.

2) Log + Email Alert: If the Risk Score of the suspicious behaviour is lower than the global setting, the IP is not blocked; the event is logged for monitoring purposes and an alert email is sent to the administrator.

Form Field Filtering Enabled - allowing users to filter the content of form fields in order to prevent XSS attacks.

Whitelist Setting Enabled – Unlike other security software which only provides an IP whitelist function, OSE PHP Anti-Hacker also provides whitelist functions for your programs and form fields, which gives you the flexibility to use a wide range of software while maintaining a high level of protection.

Contents in the Package

OSE Update Manager – A component which helps you update the latest signature for the Anti-Hacker. It does not only work with the Anti-Hacker, but it also supports the update for all OSE series products.

System Guard – A set of tools to help you change your system setting. It also includes a file audit system to audit files in the system of the OSE Anti-Hacker Joomla Component platform.

Installation

If you have a previous version of the OSE Anti-Hacker Joomla Component installed and intend to upgrade it to the latest version, please read only section 2.1 and then use the Anti-Hacker Joomla Component as before. If you are a new user making a fresh installation, please read all the contents from section 2.2.

Upgrade from a Previous Version

1. Uninstalling previous components and plug-ins from the backend

Log in to your Joomla website back-end and uninstall the Anti-Hacker component. Also please manually remove the following folders or files:

2. Installing the new version

Go to the Joomla website back-end and install the new version of the Anti-Hacker. You can find more details about the installation in Section 2.2 if the latest release differs slightly from previous versions.

3. Testing

After finishing all of the above, please test whether the update is successful by opening the following link: www.yoursite.com/index.php?%20union. The request should be blocked, as described under Activation and Test.

Fresh Installation

To install the Joomla Component version of the Open Source PHP Anti-Hacker, you need to do the following two steps:

Notes:
com_anti_hacker manages the blacklist and whitelist IPs, the whitelist strings, and the form fields that are required to be filtered.

Please ensure the proper folders are writable before the installation. The folder is “Joomla Root/administrator/”.

2. After installing all three components listed above, please update to the latest signature via the OSE Update Manager.

Select the “Signature” file in the package to install under the Update Manager panel. After installing it, you will find it in the installation list under the operation section at the bottom of the screen. Click “Install”.

Then tick the Signature to install. That's it.

After installing the Anti-Hacker, please read the following Section Configuration.

Configuration

After installation, you need to configure the OSE Security Suite properly before activating it.

Basic Parameters

Go to the component and the plug-in manager to configure the Anti-Hacker function before first use.

1. Configuring Security Level of the Anti-hacker.

The Anti-Hacker Component introduces a 3-Layer protection system and a risk score policy.

A. Layer 1 Protection

The Layer 1 protection is on by default and any activity violating the Layer 1 rules will be 100% blocked.

B. Layer 2 Protection

Under Layer 2 protection, every violation is scored from 1 to 100 according to its potential harm level, and the Anti-Hacker decides whether to block it based on that score. A violation with a high risk score is very likely a real hacking attack; one with a very low risk score is quite likely a FALSE POSITIVE.
The Anti-Hacker function sets Layer 2 protection off by default. You can switch it on and configure the security level that suits your websites as follows:
Open the "Dash Board" of the Anti-Hacker component (Security Suite Backend --> Components --> Anti-Hacker), open the Parameters in the top right corner, and adjust the Security Level.


The security level of Layer 2 protection can be set from Level 1 to Level 10. A higher level means stricter protection. For Level n, the software blocks every violation whose risk score is above (100 - 10*n). For instance, if you set the security level to 8, violations with scores above 20 are blocked, while those with scores of 20 or below are only logged and reported by email alert, not blocked. Setting the security level to Level 10 gives full protection: the threshold becomes 0, so every scored violation is blocked.

We recommend setting Layer 2 protection to Level 7, which protects your websites very well while keeping the rate of FALSE POSITIVES quite low. However, you can set the security level to any value that matches your needs. You may inspect the alert list over a period of time and find the optimal level for your websites.
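The threshold rule above, written out as a worked example. This is added illustration code, not part of the OSE Anti-Hacker: only the formula (100 - 10*n) and the two reactions (ban versus log) come from the manual; the signature patterns, their scores, the Layer 1 rules and the URL-decoding step are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed Layer 2 signatures: pattern -> risk score (1..100).
# Assumed for illustration; the real scores live in the OSE signature file.
LAYER2_SIGNATURES = [
    (re.compile(r"\bunion\b.*\bselect\b", re.I), 90),  # classic SQL injection probe
    (re.compile(r"<script\b", re.I), 80),               # reflected XSS probe
    (re.compile(r"\.\./"), 60),                         # path traversal
    (re.compile(r"\bunion\b", re.I), 40),               # lone keyword: weaker evidence
]

# Constructed Layer 1 rules: a match is blocked 100% regardless of the level.
LAYER1_RULES = [
    re.compile(r"(?:^|[?&])cmd=", re.I),  # direct command parameter
    re.compile(r"\bexec\s*\(", re.I),
]


def block_threshold(level):
    """Layer 2 threshold for security level n: scores above 100 - 10*n are blocked."""
    if not 1 <= level <= 10:
        raise ValueError("security level must be between 1 and 10")
    return 100 - 10 * level


def layer2_score(text):
    """Highest risk score among the matching Layer 2 signatures (0 if none match)."""
    return max((score for pat, score in LAYER2_SIGNATURES if pat.search(text)), default=0)


def evaluate(query_string, level):
    """Return (action, score) for a raw query string at the given security level.

    'ban'   -> Ban + Email Alert (Layer 1 hit, or score above the Layer 2 threshold)
    'log'   -> Log + Email Alert (scored, but at or below the threshold)
    'allow' -> nothing matched
    """
    decoded = unquote_plus(query_string)  # assumption: match against the decoded string
    if any(rule.search(decoded) for rule in LAYER1_RULES):
        return "ban", 100
    score = layer2_score(decoded)
    if score == 0:
        return "allow", 0
    if score > block_threshold(level):
        return "ban", score
    return "log", score


if __name__ == "__main__":
    # The manual's own test URL, index.php?%20union, at three levels.
    for lvl in (5, 8, 10):
        print(lvl, block_threshold(lvl), evaluate("%20union", lvl))
```

Run with the manual's test query string: at Level 8 (threshold 20) the lone "union" keyword scores 40 and is banned; at Level 5 (threshold 50) the same request is only logged and alerted, which is the false-positive trade-off the paragraph above describes.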

C. Layer 3 Protection

In the same "Parameters" panel you can configure the Layer 3 (HTTP:BL) protection. To turn Layer 3 protection on, tick "Yes" and go to http://www.projecthoneypot.org/create_account.php to apply for an HTTP:BL access key.
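Layer 3 consults Project Honey Pot's HTTP:BL over DNS. The example below is added here and is not the suite's own code; it shows the lookup name an access key and visitor IP produce and how the answer is decoded. The name format and the 127.days.threat.type answer encoding follow the published HTTP:BL API; the placeholder key, the sample answers and the blocking thresholds are constructed assumptions.

```python
import ipaddress
import socket

HTTPBL_ZONE = "dnsbl.httpbl.org"

# Visitor-type bit flags carried in the last octet of an HTTP:BL answer.
HTTPBL_TYPES = {1: "suspicious", 2: "harvester", 4: "comment spammer"}


def httpbl_query_name(access_key, visitor_ip):
    """Build the DNS name to look up: <key>.<reversed IPv4 octets>.dnsbl.httpbl.org"""
    ip = ipaddress.IPv4Address(visitor_ip)  # raises on IPv6 or junk input
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{access_key}.{reversed_octets}.{HTTPBL_ZONE}"


def parse_httpbl_answer(answer):
    """Decode an A-record answer 127.<days>.<threat>.<type>; None means not listed."""
    if answer is None:
        return None
    octets = [int(x) for x in answer.split(".")]
    if len(octets) != 4 or octets[0] != 127:
        raise ValueError(f"unexpected HTTP:BL answer {answer!r}")
    days, threat, kind = octets[1], octets[2], octets[3]
    if kind == 0:
        types = ["search engine"]  # type 0 is a recognised search engine
    else:
        types = [name for bit, name in HTTPBL_TYPES.items() if kind & bit]
    return {"days_since_last_activity": days, "threat_score": threat, "types": types}


def should_block(answer, min_threat=25, max_days=30):
    """Layer 3 decision: block listed visitors with a recent, high enough threat score.
    The thresholds are assumptions; search engines are never blocked."""
    info = parse_httpbl_answer(answer)
    if info is None or info["types"] == ["search engine"]:
        return False
    return info["threat_score"] >= min_threat and info["days_since_last_activity"] <= max_days


def lookup(access_key, visitor_ip):
    """Live lookup (needs network). NXDOMAIN, i.e. 'not listed', surfaces as gaierror."""
    try:
        return socket.gethostbyname(httpbl_query_name(access_key, visitor_ip))
    except socket.gaierror:
        return None


if __name__ == "__main__":
    # Constructed answers standing in for real DNS responses.
    print(httpbl_query_name("abcdefghijkl", "192.0.2.10"))  # placeholder key
    for sample in ("127.3.45.6", "127.20.10.1", None):
        print(sample, parse_httpbl_answer(sample), should_block(sample))
```

Treat a lookup failure (timeout, no key configured) as "not listed" rather than as a block, otherwise a DNS outage turns Layer 3 into a denial of service against your own visitors.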

2. Next, you need to know how to whitelist a program and how to whitelist a form field, and then whitelist the proper strings and form fields to make the Anti-Hacker compatible with your websites. This is an important feature of our Anti-Hacker, because it gives you the flexibility to use the Anti-Hacker function on any PHP platform. Please read section 5, Whitelisting programs and form fields, on the following topics:

After configuring the Anti-Hacker function, you can go to the next step to make the System Guard Component perform "File and system audit" for your website.

File and System Audit

This section introduces how to do the file and system audit using the System Guard of Security Suite. This includes:

Files permissions audit;

System Configuration audit:

Ensuring you are using a non-default administrator username,

Setting a password to protect your administrator folder,

Ensuring the configuration.php file is not writable.

In order to achieve this, we borrow functions from a popular Joomla component, GuardXT (which can be downloaded for free from http://www.joomlaxt.com/).

Step 1. Audit your files permissions

The System Guard (a modified version of GuardXT) is installed with the suite, and the files of the OSE Security Suite are audited by default. However, it is RECOMMENDED that you INSTALL this tool on ALL of your other Joomla-based websites to audit their files as well.

Step 2. System Configuration Audit

After completing the file permissions checks, now we need to do the following steps:

* Step 2.1: Ensuring you are using a non-default administrator username

If the super administrator's username "admin" is still in use, change it by clicking the Change Now link in the "Default admin user active" row of System Guard.

* Step 2.2: Set a password to protect the administrator

You can follow the instruction in FAQs to setup a password, Anti-Hacker FAQs: How do I set a new password to protect a folder with .htaccess?

Or go to your WEB HOSTING account control panel, check with your web hosting company to see how you can SET A PASSWORD TO PROTECT A DIRECTORY, then set a password to protect the whole OSE Security Suite folder. For example, if your Anti-Hacker is installed in the folder called "home/XXXX/htdocs/osesecurity", please set a password to protect this folder.

* Step 2.3: Change the permission of the configuration file

Simply click the "Change Now" in the "Joomla Server Configuration Check" Section in System Guard, and it will help you to change the permission of the configuration.php to be un-writable.
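What the file permissions audit (Step 1) and the configuration.php check (Step 2.3) actually look for, as an added example. This is illustration code, not System Guard or GuardXT: the directory layout, the bad permissions and the 0444 target mode are constructed assumptions; the checks themselves (no group/world-writable files, configuration.php not writable) are the ones the steps above describe.

```python
import os
import shutil
import stat
import tempfile


def audit_tree(root):
    """Walk `root` and report the permission problems the manual's audit looks for.
    Returns a sorted list of (relative_path, problem) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # symlink modes are meaningless; audit the target separately
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            elif mode & stat.S_IWGRP:
                findings.append((rel, "group-writable"))
            # configuration.php holds the database credentials: it must not be
            # writable by anyone, not even the owner, once the site is configured.
            writable_bits = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH
            if name == "configuration.php" and mode & writable_bits:
                findings.append((rel, "configuration.php is writable"))
    return sorted(findings)


def harden_config(path):
    """The equivalent of System Guard's 'Change Now': make configuration.php read-only."""
    os.chmod(path, 0o444)
    return oct(stat.S_IMODE(os.stat(path).st_mode))


def demo():
    """Build a throwaway Joomla-like tree with constructed permissions, audit it,
    harden configuration.php, and audit again. Returns (findings_before, findings_after)."""
    root = tempfile.mkdtemp(prefix="joomla_audit_")
    try:
        os.makedirs(os.path.join(root, "administrator"))
        cfg = os.path.join(root, "configuration.php")
        with open(cfg, "w") as fh:
            fh.write("<?php class JConfig { public $password = 'constructed'; }\n")
        os.chmod(cfg, 0o666)                                  # bad: writable by everyone
        os.chmod(os.path.join(root, "administrator"), 0o777)  # bad: world-writable directory
        idx = os.path.join(root, "index.php")
        open(idx, "w").close()
        os.chmod(idx, 0o644)                                  # fine: owner-writable only
        before = audit_tree(root)
        harden_config(cfg)
        after = audit_tree(root)
        return before, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

The installer needs "administrator/" writable by the web server user (see the Fresh Installation notes), which is owner-writable, not 0777; a world-writable directory stays flagged after configuration.php has been locked down, which is the right outcome.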

Please note: If you use the recommended php.ini from System Guard, be aware that you may not be able to install further plug-ins while "open_basedir" is enabled in php.ini, because it restricts the directories PHP is allowed to access. If you would like to install further plug-ins, temporarily remove that line from the php.ini, and once you have finished installing the new plug-ins, add that line back to the php.ini.

We also recommend you to disable insecure functions for PHP environment. Please view how to do it in the FAQs: How to disable insecure functions for PHP environment?

Activation and Test

There are three methods to activate the Anti-Hacker function. Before you perform one of them, please note: in the text that follows, replace "/absolute_path_to_antihacker/" with the absolute path of the folder where you installed the Security Suite, e.g. "/public_html/osesecurity/". The scan.php file that gets prepended lives in the administrator sub-folder of that path.

First, please go to Components --> System Guard --> Version Checks, it lists the lines for you to add to activate the anti-hacker.
Please use one of the following methods and we would suggest you to choose to use php.ini or .htaccess to activate the anti-hacker in order to have a server-wide protection.

A. Via the php.ini file

Activate the Anti-Hacker through php.ini: add the following line to the php.ini file, and copy the php.ini file to the folder or system that you would like to protect (whether a per-folder php.ini is honoured depends on how PHP is run on your host, which is why section B or your hosting company may be needed):

auto_prepend_file=/absolute_path_to_antihacker/administrator/scan.php

B. Via the .htaccess file

If PHP runs as an Apache module and you want to use .htaccess to run the Anti-Hacker, add the following line to the .htaccess file, and copy the .htaccess file to the folder or system that you would like to protect:

If you could not activate it through the above methods (even after reading the FAQs, Anti-Hacker FAQs: What if having difficulties in Activating Anti-Hacker?), please consult your hosting company with regard to how to enable the auto_prepend function to activate it through .htaccess or php.ini, because this will maximize the protection on your websites.

While you are waiting for the hosting company to sort out the above problem, you can use the following method to activate the anti hacker temporarily:

C. Via the index.php file

In the Root folder of the system that you would like to protect, open the index.php, enter the following code in the first line:

After completing one of these activations, you can test the Anti-Hacker function using the URL:

www.yoursite.com/index.php?%20union

Your request will be blocked and your visitors would see the ban page. You can customize the blocking message with the "Custom BanPage" function of the Anti-Hacker.


However, when you then log in to the backend, you will sometimes find that no IP has been locked. Why?

That is because our plug-in may change the IP status from "hacking IP" to "suspicious IP" if you can successfully reach the back-end, and once you enter correct Administrator login details, your IP is removed from the blacklist automatically. In that case you will not find any blacklisted IPs in the backend.

If you would like to see the changes of the IP status, log in to phpMyAdmin and watch how the record changes after the test request and again after you log in to the backend successfully.

If the Anti-Hacker does not return the expected result, the activation has not succeeded; please read the FAQs carefully, Anti-Hacker FAQs: What if having difficulties in Activating Anti-Hacker?

Whitelisting Strings and Form Fields

Since the OSE Security Suite is a common security platform, it only has a basic list of whitelist programs. You may need to define more to make it compatible with your specific systems, websites, and programs. This section introduces how to add more allowed-to-access strings and form fields.

How to Whitelist a Program?

How to Whitelist a Form Field?

In order to maximize the protection, the Anti-Hacker of the Security Suite scans and filters the content of all form fields for suspicious hacking behaviour. Therefore, if you would NOT like some form fields to be scanned or filtered, you need to add the corresponding names of the form fields to the White List Form Fields list.

You simply need to add the name of the form field to the Whitelist Form Field list so that the content of this form field is no longer scanned. For example, if the text field in the contact form is named "text", you add "text" as one form field entry as follows:


Then save the record; the Anti-Hacker will NOT filter the content of this form field for suspicious hacking behaviour. Note that when the scanner reports FALSE POSITIVE alerts, this function gives you the flexibility to adapt the Anti-Hacker filter rules to your system.
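Form Field Filtering and the Whitelist Form Field list, as an added example that is not the suite's own code. It shows the behaviour the feature description gives (hacking strings stripped from form values, whitelisted fields passed through untouched); the XSS patterns and the sample contact form are constructed assumptions.

```python
import re

# Constructed XSS patterns for Form Field Filtering; the real ones come from
# the OSE signature file and are assumed here for illustration only.
FORM_FIELD_PATTERNS = [
    re.compile(r"<\s*script[^>]*>.*?<\s*/\s*script\s*>", re.I | re.S),  # inline scripts
    re.compile(r"\bon\w+\s*=\s*(['\"]).*?\1", re.I | re.S),             # onload="..." handlers
    re.compile(r"javascript\s*:", re.I),                                # javascript: URLs
]

# Constructed contact-form submission; the "text" field carries an XSS probe.
SAMPLE_FORM = {
    "name": "Alice",
    "email": "alice@example.com",
    "text": "Hello <script>alert(1)</script> there",
}


def sanitize_value(value):
    """Strip every matching hacking string from one value; return (clean, hits)."""
    hits = 0
    for pat in FORM_FIELD_PATTERNS:
        value, n = pat.subn("", value)
        hits += n
    return value, hits


def filter_form(fields, whitelist_fields):
    """Scan a submitted form (dict of name -> value).

    Field names in `whitelist_fields` pass through untouched, as entries in the
    Whitelist Form Field list do; every other field is sanitized.
    Returns (cleaned_fields, names_of_suspicious_fields).
    """
    cleaned, suspicious = {}, []
    for name, value in fields.items():
        if name in whitelist_fields:
            cleaned[name] = value
            continue
        clean, hits = sanitize_value(value)
        cleaned[name] = clean
        if hits:
            suspicious.append(name)
    return cleaned, suspicious


if __name__ == "__main__":
    print(filter_form(SAMPLE_FORM, set()))       # "text" is stripped and reported
    print(filter_form(SAMPLE_FORM, {"text"}))    # "text" whitelisted: passed through
```

Whitelisting a field removes it from scanning entirely, so only do it for fields whose content is rendered through proper output encoding or never rendered at all; stripping known-bad strings is a blacklist and will not catch every XSS payload.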